If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

Enjoy an ad free experience by logging in. Not a member yet? Register.

Setting Password Strength

I could use some advice on what is a *reasonable* approach on checking the Password Strength when users register or re-set their password on my website.

Security is extremely important to me, but there are some constraints as well, including...

1.) I don't want to make my website so difficult to use that it chases away the average (and even power) users

2.) I don't have months and years to read up on "Log-In Theory" and come up with some master scheme

My goal for this thread, is to start off with a reasonable approach to checking Password Strength, and then over the next few months come up with a more robust approach, which will likely use "Pass Phrases" among other things.

(Please no "flame wars" on this topic.)

Below is a snippet of code that checks for Password Strength in my "change-password.php" script....

// Check for Number.
if (empty($errors)){
if (!preg_match("#[0-9]+#", $newPass1)){
$errors['newPass'] = 'Password must have at least 1 Number.';
}
}

// Fou-Lu makes it sound like I don't need this section.
// Check for Illegal-Characters.
if (empty($errors)){
if (preg_match("#[\,\"\']+#", $newPass1)){
$errors['newPass'] = 'Password may not use Comma, Single or Double Quotes.';
}
}

// Not so sure about this one...
// Check for Special-Character.
if (empty($errors)){
if (!preg_match("#[\~\`\!\@\#\$\%\^\&\*\(\)\_\-\+\=\{\}\[\]\|\:\;\<\>\.\?\/\\\\]+#", $newPass1)){
// if (!preg_match("#[\W_]+#", $newPass1)){
$errors['newPass'] = 'Password must have at least 1 Special Character.';
}
}

if (empty($errors)){
// Strong Password.
$newPass = $newPass1;

}else{
// Weak Password.
// Drop through to display Errors.

}//End of CHECK PASSWORD STRENGTH

BTW, I don't know OOP yet, and I'd prefer to learn how to make a procedural home-grown Password-Strength-Checker for now.

IE: Reassign each strength "tier" (I will call it tier) string to a unique string. Then test the '$string' against each pattern, and when it catches a match, return the strength index (Weak, Average, Good - or whatever you assign to each strength tier

Good things to keep in mind: length + complexity.
At least one lower case
At least one upper case
At least one special character
At least x characters (8 sounds sufficient) excluding spaces
No repeating characters (3x characters or numbers in a row; I'd let them get away with 2x, but I don't think there's any "word" that conatains 3x).

There are many more other things that can be done. No dictionary words, no "like" word replacements (and = &, to = 2, etc, late = l8). Password phrases would be easy: minimum characters: 25.
Average users will not appreciate the pass phrases. Despite being a lot better and typically much easier to remember.

OO would only benefit by writing wrappers. So the ruleset can be refined by adding more filters to perform a specific task to check. Procedural can do that as well with functions. But the OO implementation is the same basic logic flow as that of the procedural code.

PHP Code:

header('HTTP/1.1 420 Enhance Your Calm');

Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)

Good things to keep in mind: length + complexity.
At least one lower case
At least one upper case
At least one special character
At least x characters (8 sounds sufficient) excluding spaces

So is the code sample I provided above sufficient for now?

No repeating characters (3x characters or numbers in a row; I'd let them get away with 2x, but I don't think there's any "word" that conatains 3x).

How would I do that?

There are many more other things that can be done. No dictionary words, no "like" word replacements (and = &, to = 2, etc, late = l8). Password phrases would be easy: minimum characters: 25.
Average users will not appreciate the pass phrases. Despite being a lot better and typically much easier to remember.

Well, Fou-Lu, that is what I'd like to do with time...

Once this current version (v2.0) is done shortly, then I'll go read up on the whole topic of "Password Strength" and try to come up with something more "2013" than "2001".

I'm sure there is a way to require stronger Passwords/Pass-Phrases WITHOUT driving the average User crazy.

But I don't know what that is currently?!

OO would only benefit by writing wrappers. So the ruleset can be refined by adding more filters to perform a specific task to check. Procedural can do that as well with functions. But the OO implementation is the same basic logic flow as that of the procedural code.

What I meant was I believe there are some "super-duper Password Strength classes" already out there for free use, but since I don't know OOP, and don't want to know OOP for v2.0, it wouldn't be of help.

So it sounds like the code I provided would be a good place to start, right? (Other than I should add in a way to make sure someone doesn't type "D*****D**1")

Repeating characters can be detected using regex or by using iteration of the string and manually counting them. If you're going to iterate, than you might as well do all the other comparisons char by char as well since you need to evaluate every character anyway.

PHP Code:

header('HTTP/1.1 420 Enhance Your Calm');

Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)

Repeating characters can be detected using regex or by using iteration of the string and manually counting them. If you're going to iterate, than you might as well do all the other comparisons char by char as well since you need to evaluate every character anyway.

Is it expensive to iterate character by character through a password?

Any reasons why you would want to avoid this approach? (It seems like it might be the better way?!)

I guess that depends on what you compare it to. Using iteration will increase its weight lineally based on the length of the string. Shorter it is, the better it will perform even compared to what is here. The longer it is, the worse it will perform, even compared to what is here.
Doing all that needs to get done, I would expect you'd see better performance on average using regex. Overall it'll be about the same. If I have a password of 'aaaa' and allow all rules to evaluate, than iteration will win. If I have a password of 'this is my passphrase which is quite long', than regex will win.

PHP Code:

header('HTTP/1.1 420 Enhance Your Calm');

Been gone for a few months, and haven't programmed in that long of a time. Meh, I'll wing it ;)